logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



ApacheBench virus ?

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
Qmpeltaty



Joined: 06 Feb 2008
Posts: 182
Location: Poland

PostPosted: Tue 20 Aug '13 16:53    Post subject: ApacheBench virus ? Reply with quote

Few days ago one of the services running on Win2k8 R2 server has been blocked - i could not restart it because other process had blocked file used by that service. Blocking process was ILDIbBUhvXAJrVO.exe which runs file with the same name located in c:\windows\temp.

When process ILDIbBUhvXAJrVO.exe was killed from task manager i could finally restart the service (which is JBoss application server service, Apache fronted).

I've downloaded this file on my PC, but once download is finished Norton Antivirus on my PC reacts by raising virus alarm, and file has been immediately deleted.

I've checked suspicious file on non-NAV protected machine and the file Details shows :

File Description : ApacheBench command line utility
File version : 2.2.14.0
Product Name : Apache HTTP Server
Product version : 2.2.14
Original filename : ab.exe

It's strange, as Apache Web server is installed on the "infected" machine, but it's 2.4.4-x64, not 2.2.14 (actually 2.2.x has never been installed there).

I've made some reasearch, but i haven't found any ab.exe vulnerabilities for 2.2.14 Apache version.

Has anyone met such case ?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2194
Location: Sun Diego, USA

PostPosted: Tue 20 Aug '13 20:18    Post subject: Reply with quote

I can compile binaries to say anything in the details, whether the info is correct or not is another story. Your last statement makes me believe this is the case since 2.2 has never been on the machine.

I doubt the file was ab.exe. But you can always run the ab.exe you do have through www.virustotal.com.
Back to top
zarat



Joined: 12 Sep 2018
Posts: 1
Location: Vienna

PostPosted: Wed 12 Sep '18 17:29    Post subject: Meterpreter Trojaner Reply with quote

Auch wenn der Thread schon alt ist, ist das Thema noch aktuell! Also falls jemand das selbe Problem hat - der Meterpreter, wenn mittels reverse_https verbunden tarnt sich unter diesem Namen. Das bedeutet, jemand ist bereits auf dem System und hat einen Server laufen der nach Hause telefoniert. Ich arbeite viel mit dem Metasploit Framework, das ist ganz sicher ein Meterpreter reverse_https Trojaner!

https://blog.rapid7.com/2011/06/29/meterpreter-httphttps-communication/

Mod note ( translation)

Even though this thread is rather old, it is still relevant. If someone has the same problem - the Meterpreter (from Metasploit), if connected via reverse_https, is hiding under the same name. That means that it is already on the system and calls home. I work a lot with the Metasploit Framework, and I'm sure it hs the Meterpreter reverse_https Trojan.

Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6600
Location: Germany, Next to Hamburg

PostPosted: Thu 13 Sep '18 16:03    Post subject: Re: Meterpreter Trojaner Reply with quote

zarat wrote:
das ist ganz sicher ein Meterpreter reverse_https Trojaner!

Mod note ( translation)

I'm sure it hs the Meterpreter reverse_https Trojan.



I disagree. We often had that false positive with some virus scanner with the binary compiled from source. In some cases it might bem but ab.exe is generell is not evil.

And please post english in this forum Wink
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1